On March 10 2022, the UK Information Commissioner’s Office (ICO) handed down its first Monetary Penalty Notice in respect of a ransomware attack and data exfiltration incident under the UK General Data Protection Regulation (GDPR) against the criminal defence firm Tuckers, which suffered a ransomware attack in August 2020. This ICO enforcement action highlights that ransomware attacks can lead to fines against the victim of such an attack and provides valuable guidance on what IT security measures companies should consider.
The Monetary Penalty Notice is timely, given the ICO’s recent release of its “Guide on Ransomware and Protection Compliance”. According to the Verizon Data Breach Investigations Report 2021, the number of ransomware incidents has doubled over the past year alone. Since 2019, threat actors have engaged in a secondary method of cyber extortion in which they threaten to publish data taken from a victim’s systems. This tactic is commonly used in incidents across the globe.
During the Tuckers incident, threat actors gained access to and encrypted over 900,000 digital files with a substantial number being related to court bundles. The dataset exfiltrated by the attacker and published on the dark web contained over 60 court bundles for historic and live cases.
The ICO found that Tuckers failed to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures pursuant to Article 5(1)(f) GDPR. The ICO also raised concerns with compliance with Articles 5(1)(e) (data minimisation), 25 (data protection by design), 32(1)(a) and 32(1)(b) GDPR (technical and organisational measures).
In its decision, the ICO frequently referred to Tuckers’ Data Protection Policy and the lack of compliance with the measures set forth therein. This is a key demonstration that the existence of a document is not enough to achieve compliance with the GDPR. Further criticism focussed on:
In relation to exfiltrated data being published on the dark web, the ICO found that the release of personal data was likely to increase distress to individuals. Such commentary is in line with the European Data Protection Board’s guidelines on data subject notification in cases of data exfiltration, released earlier this year.
The penalty was initially levied in line with 3.25 percent of Tuckers’ annual turnover. Whilst the ICO did not consider that any factors should increase the fine (such as Tuckers’ failure to comply with the Solicitors’ Regulation Authority code of conduct), significant mitigating factors were applied to reduce the amount of the fine to £98,000. Tuckers made representations on the remedial measures employed, its own financial position and the management of IT staff illness.
The ICO’s decision serves as a timely reminder in the United Kingdom and Europe that having GDPR policies that comply with the GDPR may not equate to GDPR compliance if the policies are improperly implemented and enforced. Organisations must ensure that plans outlining stringent technical and security measures are adhered to or be subject to the magnifying glass of the regulator in the wake of an incident.